[WEB4LIB] Does Your Library Use SSL to Protect Patron Data?

Mark Pecaut pecautm at missouri.edu
Mon Apr 9 17:35:51 EDT 2001


On Mon, Apr 09, 2001 at 02:06:48PM -0700, Donna Schumann wrote:
> We are in the process of adding a library card application form to our
> web page. As we have talked about the implications of patrons filling
> out an Internet form with name, phone number, address, etc., we are
> coming to the conclusion that we really need to use SSL to protect
> patron privacy. This now has us looking at the lack of security for
> patrons placing holds over the Internet. Our patrons can access the
> catalog using either telnet or WebPac, and when they place holds, their
> library card number, PIN, name, address, phone number, etc. is
> transmitted. We know that the telnet data is being sent as clear text,
> and we suspect that the same is true with WebPac.

You can use ssh and port forwarding to remedy some of this, depending
on what your setup looks like and where people are connecting from.
 
> How are other libraries dealing with this?

They are not.  They should. They are bad. 

> Also, are there any words of wisdom about setting up SSL? (We're using
> IIS.) Do we need to go through VeriSign or can we just use MS
> Certificate Server to generate our own certificates? How much does it
> cost to get a VeriSign certificate?

If you sign your own certificates, the users will get a security
warning about a certificate signed by an unknown certificate authority.
If you have Verisign or Thawte sign them, users won't get a warning because
most browsers recognize Verisign and Thawte.  Thawte is cheaper and charges
about $128 for lower-end certs.  

I must say, it is really refreshing to hear about someone who actually
cares enough to do this.  Good luck.

-Mark

> 
> Thank you! Donna 
> 
> -- 
> Donna Schumann, Computer Application Specialist
> Timberland Regional Library, 415 Airdustrial Way SW, Olympia, WA 98506
> Voice: 360-704-4542  FAX: 360-586-6838  Email:
> schumann at timberland.lib.wa.us
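
The difference described in the reply above between a self-signed certificate and one signed by a CA the client already trusts, shown with openssl. This is an added example, not part of the original message. The host name catalog.example.org and "Demo Root CA" are constructed placeholders, and the demo CA stands in for a commercial CA that browsers ship with.

```shell
# Added example (not from the original thread). All names are constructed.
# Creates throwaway keys and certificates in a temp dir, then reports how a
# client given the demo CA as its trust anchor judges each server certificate.
cert_trust_demo() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 1

  # 1. Self-signed server certificate: issuer and subject are the same,
  #    so no certificate authority vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=catalog.example.org" \
    -keyout self.key -out self.crt 2>/dev/null || exit 1

  # 2. Demo root CA, standing in for a CA preinstalled in browsers.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null || exit 1

  # 3. Server key and signing request, then a certificate issued by the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=catalog.example.org" \
    -keyout srv.key -out srv.csr 2>/dev/null || exit 1
  openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out srv.crt 2>/dev/null || exit 1

  # 4. Chain verification against the demo CA, as a client would do.
  if openssl verify -CAfile ca.crt self.crt >/dev/null 2>&1; then
    echo "self-signed: trusted"
  else
    echo "self-signed: rejected (unknown issuer, a browser would warn)"
  fi
  if openssl verify -CAfile ca.crt srv.crt >/dev/null 2>&1; then
    echo "ca-signed: trusted (chains to a known CA, no warning)"
  else
    echo "ca-signed: rejected"
  fi
)

cert_trust_demo
```

Both certificates encrypt the connection equally; the only difference the check exposes is whether the client can tie the certificate to an issuer it already trusts.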

